Document security ensures that only authorized users can
use your documents. Using document security, you can safely distribute
any information that you have saved in a supported format. Supported
file formats include:

Using document security, you can easily create, store, and apply predefined confidentiality settings to your documents. To prevent information from spreading beyond your reach, you can also monitor and control how recipients use your documents after you distribute them.

You can protect documents by using policies. A policy is a collection of information that includes confidentiality settings and a list of authorized users. The confidentiality settings you specify in a policy determine how a recipient can use a document to which you apply the policy. For example, you can specify whether recipients can print or copy text, edit text, or add signatures and comments to protected documents.

Document security users create policies through the end-user web pages. Administrators use the document security web pages to create policy sets that contain shared policies that are available to all authorized users.

Although policies are stored in document security, you apply them to documents through your client application. How to apply policies to PDF documents is described in detail in Acrobat Help. Applying policies by using other applications, such as Microsoft Office, is documented in the Acrobat Reader DC extensions Help for the application.

When you apply a policy to a document, the confidentiality settings specified in the policy protect the information that the document contains. The confidentiality settings also protect any files (text, audio, or video) within a PDF document. You can distribute the policy-protected document to recipients who are authorized by the policy.

Document access control and auditing

Using a policy to protect
a document gives you ongoing control over that document, even after
you distribute it. You can monitor the document, make changes to
the policy, prevent users from continuing to access the document, and
switch the policy that is applied to the document.

Through
document security, you can monitor policy-protected documents and track
events, such as when an authorized or unauthorized user attempts
to open the document.

Components

Document security consists of a server and user interface:

Server: The
central component through which document security performs transactions
such as user authentication, real-time management of policies, and application
of confidentiality. The server also provides a central repository
for policies, audit records, and other related information.

Web pages: The
interface where you create policies, manage your policy-protected
documents, and monitor events that are associated with policy-protected
documents. Administrators can also configure global options such
as user authentication, auditing, and messaging for invited users,
and manage invited user accounts.

The steps in
the illustration are as follows:

The document owner
creates policies using the web pages. Document owners can create
personal policies that are accessible only to them. Administrators and
policy set coordinators can create shared policies within policy
sets that are accessible to authorized users.

The document owner applies the policy, and then saves and
distributes the document. The document can be distributed by email,
through a network folder, or on a website.

The recipient opens the document in the appropriate client
application. The recipient can use the document according to its
policy.

The document owner, policy set coordinator, or administrator
can track documents and modify access to them using the web pages.

About document security users

Various types of users work with document security to accomplish
different tasks:

The system administrator or other information systems
(IS) person installs and configures document security. This person
may also be responsible for configuring global settings for the
server, web pages, and policies and documents.

Document security administrators create policies and policy
sets, and manage policy-protected documents for users as required.
They also create invited user accounts, and monitor system, document,
user, policy, policy set, and custom events. They may also be responsible
for configuring the global server, and web page and policy settings
in conjunction with a system administrator.

Administrators
can assign users the following roles in the User Management area
of administration console. Users who are assigned these roles perform their
tasks in the document security user interface area of administration console.

Document security super administrator

Users with this role have access to all of the document security
settings in administration console. These permissions are associated
with the role:

Manage configuration

Manage policy

Manage policy sets

Manage documents

Manage document publishers

Manage invited and local users

View events

Delegate

Invite external users

Document security administrator

Users with this role can configure the document security
server, using the Configuration page in document security section
of administration console. This permission is associated with the
role: Manage Configuration.

Note: Users with this
role must also have the administration console User role to be able
to log in to administration console and edit any configuration-related settings.

Document security policy set administrator

Users with this role can use the document security section
of administration console to edit other users’ policies and to create,
edit, and delete policy sets. When a policy set administrator creates
a policy set, they can assign a policy set coordinator to that policy
set. These permissions are associated with the role:

Manage policy

Manage policy sets

Manage documents

Manage document publishers

View events

Delegate

Note: Users with this
role must also have the administration console User role to be able
to log in to administration console and edit any configuration-related settings.

Document security manage invited and local users

Users with this role can perform tasks required to manage
all invited and local users on the relevant document security web
pages. These permissions are associated with the role:

Manage invited and local users

Invite external users

Access end-user web pages

Note: Users
with this role must also have the administration console User role
to be able to log in to administration console and edit any configuration-related settings.

Document security invite user

Users with this role can invite users. These permissions
are associated with the role:

Invite external users

Access end-user web pages

Document security end user

Users with this role can access document security end-user
web pages. This role can also be assigned to administrators to allow
administrators to create policies using the end-user pages. This permission
is associated with the role: Access end-user web pages.

Users within the organization who have valid document security
accounts create their own policies, use policies to protect documents,
track and manage their policy-protected documents, and monitor events
that are related to their documents.

Policy set coordinators manage documents, view events, and
manage other policy set coordinators (based on their permissions).
Administrators designate users as policy set coordinators for particular
policy sets.

Users who are external to your organization (for example,
a business partner) can use policy-protected documents if they are
in the document security directory, if the administrator
creates an account for them, or if they register with document security
through an automated email invitation process. Depending on how
the administrator enables the access settings, the invited users
may also have permission to apply policies to documents, to create,
modify and delete their policies, and to invite other external users
to use their policy-protected documents.

Developers use the AEM forms SDK to integrate custom applications
with document security.

Document
security administrators can create custom roles by using the following
permissions in User Management:

Document security Manage Configuration

Document security Manage Invited and Local Users

Document security Manage Policy Sets

Document security View Server Events

Document security Change Policy Owner

Policies and policy-protected documents

A policy defines a set of confidentiality settings
and users who can access a document to which the policy is applied.
A policy also enables the permissions on a document to be changed
dynamically. It gives the person who secures the document permission
to change the confidentiality settings to revoke access to the document
or to switch the policy.

Policy protection can be applied to a PDF document by using Adobe
Acrobat® Pro and Acrobat Standard. Policy
protection can be applied to other file types, such as Microsoft
Word, Excel, and PowerPoint files, by using the client application
with the appropriate Acrobat Reader DC extensions installed.

How policies work

Policies contain information about the authorized users
and the confidentiality settings to apply to documents. Users can
be anyone in your organization, as well as people who are external
to your organization who have an account. If the administrator enables
the user invitation feature, you can also add new users
to policies, which initiates a registration invitation email
process.

The confidentiality settings in a policy determine how the recipients
can use the document. For example, you can specify whether recipients
can print or copy text, make changes, or add signatures and comments
to protected documents. The same policy can also specify different
confidentiality settings for specific users.

Note: Confidentiality settings that are applied through
a policy override any settings that may have been applied to a PDF
document in Acrobat by using the password or certificate security
options. (See Acrobat Help for more information.)

Users and administrators create policies through the document
security web pages. Only one policy at a time can be applied to
a document. You can apply a policy by using one of these methods:

Open the document in Acrobat or another client application
and select a policy to secure the document.

Send a document as an email attachment in Microsoft Outlook.
In this case, you can select a policy from a list of policies or
select an auto-generated policy that Acrobat creates with a default
set of confidentiality settings to protect the document only for
the email message recipients.

A policy can be removed from a document by using the client application.

The steps in the diagram are as follows:

The document owner secures the document from a supported
client application with a policy that allows online use.

Document security creates a document license and document
keys, and encrypts the policy. The document license, encrypted policy,
and document key are returned to the client application.

The document is encrypted with the document key, and the
document key is discarded. The document now embeds the license and
policy. These tasks are performed in the supported client application.

When you apply a policy to a document, the information that the
document contains, including any contained files (text, audio, or
video) in PDF documents, is protected by the confidentiality settings
that are specified in the policy. Document security generates a
license and encryption information that is then embedded in the
document. When you distribute the document, document security can
authenticate the recipients who attempt to open the document and authorize
access according to the privileges specified in the policy.

If offline usage is enabled, recipients can also use policy-protected
documents offline (without an active Internet or network connection)
for the time period specified in the policy.

How policy-protected documents work

To open and use policy-protected documents, the policy
must include your name as a recipient, and you must have a valid
document security account. For PDF documents, you need Acrobat or
Adobe Reader®. For other file types, you need
the appropriate application for the file with the Acrobat Reader
DC extensions installed.

When you attempt to open a policy-protected document, Acrobat,
Adobe Reader, or the Acrobat Reader DC extensions connects to document
security to authenticate you. Then, you can proceed to log on. If
the document usage is being audited, a notification message appears.
After document security determines which document permissions to
grant, it manages the decryption of the document. You can then use
the document according to the policy confidentiality settings.

The steps in the diagram are as follows:

The document user opens the document in a supported client
application and authenticates with the server. The document identifier
is sent to the document security server.

Document security authenticates the users, checks the policy
for authorization, and creates a voucher. The voucher (which contains
the document key and permissions) is returned to the client application.

The document is decrypted with the document key, and the
document key is discarded. The document can then be used according
to the confidentiality settings of the policy. These tasks are performed
in the supported client application.

You can continue to use a document under these conditions:

Indefinitely or for the validity period that is specified
in the policy

Until the administrator or the person who applied the policy
revokes access to the document or changes the policy

You can also use policy-protected documents offline (without
an Internet or network connection) if the policy permits offline
access. You must first log in to document security to synchronize
the document. You can then use the document for the duration of
the offline lease period that is specified in the policy.

When the offline lease period ends, you must synchronize the
document with document security again, either by going online and
opening a policy-protected document or by using a command in the
client application. (See Acrobat Help or the appropriate Acrobat Reader DC extensions Help for
details.)

If you save a copy of a policy-protected document by using the
Save or Save As menu command, the policy is automatically applied
and enforced for the new document. Events such as attempts to open
the new document are also audited and recorded for the original
document.
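The protect and open exchanges in the two step lists above, modelled as an added example (not Adobe's code or API) to show why revocation and auditing work after distribution: the client never keeps the document key. The names PolicyServer, issue_license and open_document, the sample users, and the SHA-256 keystream standing in for the real document encryption are assumptions; authentication and the embedded encrypted policy are left out.

```python
import hashlib, secrets

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy cipher (SHA-256 in counter mode), an assumed stand-in for the real encryption.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class PolicyServer:  # hypothetical model of the server's role
    def __init__(self):
        self.policies = {}   # policy_id -> {user: set of permissions}
        self.licenses = {}   # license_id -> {"policy", "key", "revoked"}
        self.audit = []      # (user, event) records

    def issue_license(self, policy_id):
        # Protect flow: create a document license and document key for the client.
        license_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.licenses[license_id] = {"policy": policy_id, "key": key, "revoked": False}
        return license_id, key

    def open_document(self, license_id, user):
        # Open flow: check the policy, record the attempt, return a voucher or None.
        lic = self.licenses[license_id]
        perms = self.policies[lic["policy"]].get(user)
        granted = perms is not None and not lic["revoked"]
        self.audit.append((user, "open granted" if granted else "open denied"))
        return {"key": lic["key"], "permissions": set(perms)} if granted else None

def client_protect(server, policy_id, plaintext):
    license_id, key = server.issue_license(policy_id)
    # Encrypt locally; the key goes out of scope here, so only the server retains it.
    return {"license": license_id, "body": _keystream_xor(key, plaintext)}

def client_open(server, doc, user):
    voucher = server.open_document(doc["license"], user)
    if voucher is None:
        return None
    return _keystream_xor(voucher["key"], doc["body"]), voucher["permissions"]

def demo():
    server = PolicyServer()
    server.policies["partners"] = {"alice@example.com": {"view", "print"}}
    doc = client_protect(server, "partners", b"Q3 forecast (constructed sample)")
    granted = client_open(server, doc, "alice@example.com")
    outsider = client_open(server, doc, "mallory@example.com")
    server.licenses[doc["license"]]["revoked"] = True  # owner revokes access
    return granted, outsider, client_open(server, doc, "alice@example.com"), server.audit
```

Every open attempt, granted or denied, lands in the audit list, and the same distributed file stops opening once the license is revoked on the server.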

Policy sets

Policy sets are used to group a set of policies
that have a common business purpose. These policy sets are then
made available to a subset of users in the system.

Each policy set can have one or more associated policy set coordinators.
The policy set coordinator is an administrator or a user who has
additional permissions. The policy set coordinator is typically
a specialist in the organization who can best author the policies
in a particular policy set.

Policy set coordinators can perform these tasks:

Create new policies

Edit and delete any policy in the policy set

Edit policy set settings

Add and remove policy set coordinators

View policy and document events for any policy or document
within the policy set

Revoke access to documents

Switch policies for the document

Policy sets are created and deleted in the document security
administration web pages by administrators and policy set coordinators
who have permission to do so.

Policy sets
are generally made available to a limited number of users by specifying
which users or groups within a domain can use the policies from
the policy set to protect documents.

When document
security is installed, a default policy set is created called Global Policy Set.
The administrator who installed the software manages this policy
set.